
Normalizing IPv6 Addresses

Published: 2014-03-20
Last Updated: 2014-03-20 22:40:50 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

One of the annoyances with IPv6 addresses is that they may be abbreviated. Leading "0"s may be omitted, and a run of all-zero groups (":0000:0000:...") may be replaced with "::". The key annoyance is the word "may". Some logs (for example iptables) will not abbreviate, others, like for example nginx or apache, will abbreviate, which makes correlating logs more difficult.

Lately, I started using a little Perl script to "normalize" the IPv6 addresses in my logs. The script inserts all the missing "0"s and expands "::", so that a specific address always has the same 39-character spelling and a plain grep will find it. The script I am using:

#!/usr/bin/perl

use strict;
use warnings;

# A candidate is a run of hex digits and colons that is not glued to other
# hex/colon characters. isv6() then rejects things like timestamps
# ("22:40:50") that a plain /[0-9a-f:]+/ would have "normalized" as well.
# The lookahead also excludes ".", so IPv4-mapped addresses such as
# ::ffff:192.0.2.1 are left alone instead of being half-expanded.
my $cand = qr/(?<![0-9a-fA-F:])([0-9a-fA-F:]{2,39})(?![0-9a-fA-F:.])/;

while ( my $line = <> ) {
    $line =~ s/$cand/isv6($1) ? fillv6($1) : $1/ge;
    print $line;
}

# An IPv6 address is either the full form (7 single colons, 8 groups)
# or a compressed form containing exactly one "::".
sub isv6 {
    my $c = shift;
    return 0 unless $c =~ /^[0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7}$/;
    my $colons = ( $c =~ tr/:// );
    return 1 if $colons == 7 && $c !~ /::/;
    return 1 if $c =~ /::/ && $c !~ /::.*::/;
    return 0;
}

sub fillv6 {
    my $in = shift;
    $in =~ s/^:/0000:/;    # "::1"        -> "0000::1"
    $in =~ s/:$/:0000/;    # "2001:db8::" -> "2001:db8::0000"
    if ( $in =~ /::/ ) {
        # expand "::" into as many zero groups as are needed to reach 8
        my @have = grep { length } split( /:/, $in );
        my $x = ':0000' x ( 8 - scalar @have );
        $in =~ s/::/$x:/;
    }
    # zero-pad every group to four digits
    my @parts = map { sprintf( "%04s", $_ ) } split( /:/, $in );
    return join( ':', @parts );
}

What I could use is a bit more diverse IPv6 logs to see if it covers all possible cases. The script is right now in a "works for me" state, so let me know if it works for you too.
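The same normalization can be done without hand-rolling the "::" arithmetic: Python's standard ipaddress module already knows the full (exploded) spelling of every valid IPv6 address, including IPv4-mapped ones, and refuses anything that is not an address. The following is an added example, not code from the diary; the log lines are constructed for the demonstration and the function and constant names are my own. It goes a bit beyond the Perl script by handling the cases a mixed syslog, sshd and web-server log throws at it: timestamps, bracketed address:port pairs, zone identifiers and a trailing "::".

```python
import ipaddress
import re

# Candidate: a run of hex digits and colons, optionally followed by up to
# three dotted decimal octets (for ::ffff:192.0.2.1), that is not glued to
# other hex/colon/dot characters. ipaddress decides whether a candidate is
# really an address, so "22:40:50" or "Acce" (from "Accepted") are skipped.
CANDIDATE = re.compile(
    r"(?<![0-9A-Fa-f:.])([0-9A-Fa-f:]{2,39}(?:\.\d{1,3}){0,3})(?![0-9A-Fa-f:.])"
)


def normalize_ipv6(text: str) -> str:
    """Replace every IPv6 address in text by its 8-group, zero-padded form."""

    def expand(m: re.Match) -> str:
        token = m.group(1)
        try:
            # .exploded is the canonical 39-character spelling; IPv4-mapped
            # addresses come back in pure hex form as well.
            return ipaddress.IPv6Address(token).exploded
        except ValueError:
            return token  # not an IPv6 address: leave it untouched

    return CANDIDATE.sub(expand, text)


def normalize_lines(lines):
    """Normalize a whole log, one line at a time."""
    return [normalize_ipv6(line) for line in lines]


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2014-03-20 22:40:50 nginx: 2001:db8::1 - GET / HTTP/1.1",
    "Mar 20 22:40:51 kernel: SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=fe80::1%eth0",
    "Mar 20 22:40:52 sshd: Accepted publickey from [::ffff:192.0.2.1]:52344",
    "Mar 20 22:40:53 apache: client 2001:db8:: port 443",
]

# What the normalizer should produce for the lines above.
EXPECTED = [
    "2014-03-20 22:40:50 nginx: 2001:0db8:0000:0000:0000:0000:0000:0001 - GET / HTTP/1.1",
    "Mar 20 22:40:51 kernel: SRC=2001:0db8:0000:0000:0000:0000:0000:0001 "
    "DST=fe80:0000:0000:0000:0000:0000:0000:0001%eth0",
    "Mar 20 22:40:52 sshd: Accepted publickey from "
    "[0000:0000:0000:0000:0000:ffff:c000:0201]:52344",
    "Mar 20 22:40:53 apache: client 2001:0db8:0000:0000:0000:0000:0000:0000 port 443",
]


if __name__ == "__main__":
    for original, fixed in zip(SAMPLE_LOG, normalize_lines(SAMPLE_LOG)):
        print(fixed)
        assert fixed in EXPECTED, original
```

The nginx and iptables lines end up with the identical address string, which is the whole point: after normalizing both logs, a single grep for 2001:0db8:0000:0000:0000:0000:0000:0001 hits both. Because the decision "is this an address?" is delegated to ipaddress, the regex only has to be generous enough to find candidates and never rewrites a timestamp or a hex-looking word.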
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: ipv6